Message ID | 1476817128-16108-5-git-send-email-jwcart2@tycho.nsa.gov (mailing list archive) |
---|---|
State | Not Applicable |
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 038f77a..47dcfaa 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -50,9 +50,15 @@ int __cil_verify_name(const char *name) { int rc = SEPOL_ERR; - int len = strlen(name); + int len; int i = 0; + if (name == NULL) { + cil_log(CIL_ERR, "Name is NULL\n"); + goto exit; + } + + len = strlen(name); if (len >= CIL_MAX_NAME_LENGTH) { cil_log(CIL_ERR, "Name length greater than max name length of %d", CIL_MAX_NAME_LENGTH);
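Review bot: the NULL check in __cil_verify_name() stops the crash but leaves the cause described in the commit message untouched: the class-statement syntax check still accepts "(())" as a permission list, so a policy author who writes that construct now gets "Name is NULL", which says nothing about which statement or list item was wrong. Consider also rejecting a nested list where an identifier is expected during the syntax check, or at least giving this message enough context to locate the offending statement. Minor: the new message `cil_log(CIL_ERR, "Name is NULL\n");` ends with a newline while the adjacent pre-existing `cil_log(CIL_ERR, "Name length greater than max name length of %d", CIL_MAX_NAME_LENGTH);` in the same hunk does not; worth adding the newline there while touching this function.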
Nicolas Looss found while fuzzing secilc with AFL that the statement "(class C (()))" will cause a segfault. When CIL checks the syntax of the class statement, it sees "(())" as a valid permission list, but since "()" is not an identifier a NULL is passed as the string for name verification. A segfault occurs because name verification assumes that the string being checked is non-NULL.

Check if the identifier is NULL when verifying the name.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/cil/src/cil_verify.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
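The failure path the commit message describes, as an added stand-alone example (not libsepol's code): a tiny model of a "(class NAME (perm ...))" statement walker in which a nested list item has no identifier and therefore hands NULL to the name verifier, paired with a verifier that mirrors the fixed __cil_verify_name() and rejects NULL before calling strlen(). The MAX_NAME_LENGTH value, the identifier character rules and the sample statements are assumptions of this model, not taken from CIL.

```c
/* Added example, not libsepol code. Models the bug the patch fixes: "()" inside
 * a permission list is not an identifier, so NULL reaches the name verifier.
 * MAX_NAME_LENGTH and the identifier rules are assumed for this model. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LENGTH 2048   /* stand-in for CIL_MAX_NAME_LENGTH (assumed) */
#define OK   0
#define ERR -1

/* Mirrors the patched __cil_verify_name(): NULL is rejected before strlen(). */
static int verify_name(const char *name)
{
    if (name == NULL) {                       /* the check the patch adds */
        fprintf(stderr, "Name is NULL\n");
        return ERR;
    }
    size_t len = strlen(name);
    if (len == 0 || len >= MAX_NAME_LENGTH) {
        fprintf(stderr, "Bad name length %zu (max %d)\n", len, MAX_NAME_LENGTH);
        return ERR;
    }
    if (!isalpha((unsigned char)name[0]) && name[0] != '_') {
        fprintf(stderr, "First character of %s must be a letter or '_'\n", name);
        return ERR;
    }
    for (size_t i = 1; i < len; i++) {        /* assumed identifier alphabet */
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') {
            fprintf(stderr, "Invalid character in %s\n", name);
            return ERR;
        }
    }
    return OK;
}

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    return p;
}

static const char *skip_token(const char *p)
{
    while (*p && *p != ' ' && *p != '\t' && *p != '\n' && *p != '(' && *p != ')') p++;
    return p;
}

/* Walks the permission list of "(class NAME (perm ...))" and hands each item to
 * verify_name(). A nested list item carries no identifier, so NULL is passed,
 * the same path the fuzzer hit. OK only if well formed and every name verifies. */
static int check_class_perms(const char *stmt)
{
    char buf[MAX_NAME_LENGTH + 1];
    int rc = OK;
    const char *p = skip_ws(stmt);

    if (*p != '(') return ERR;
    p = skip_ws(p + 1);
    if (strncmp(p, "class", 5) != 0) return ERR;
    p = skip_ws(skip_token(p));               /* past "class" */
    p = skip_ws(skip_token(p));               /* past the class name */
    if (*p != '(') return ERR;                /* permission list must be a list */
    p = skip_ws(p + 1);

    while (*p && *p != ')') {
        const char *name = NULL;
        if (*p == '(') {                      /* nested list: no identifier */
            int depth = 0;
            do {
                if (*p == '(') depth++;
                else if (*p == ')') depth--;
                p++;
            } while (*p && depth > 0);
        } else {
            const char *end = skip_token(p);
            size_t len = (size_t)(end - p);
            if (len > MAX_NAME_LENGTH) len = MAX_NAME_LENGTH;  /* verify_name rejects */
            memcpy(buf, p, len);
            buf[len] = '\0';
            name = buf;
            p = end;
        }
        if (verify_name(name) != OK) rc = ERR;
        p = skip_ws(p);
    }
    return (*p == ')') ? rc : ERR;
}

int main(void)
{
    const char *good = "(class C (read write))";   /* constructed input */
    const char *bad  = "(class C (()))";           /* the statement from the report */
    printf("%s -> %s\n", good, check_class_perms(good) == OK ? "ok" : "rejected");
    printf("%s -> %s\n", bad,  check_class_perms(bad)  == OK ? "ok" : "rejected");
    return 0;
}
```

Without the NULL test at the top of verify_name(), the nested-list case reaches strlen(NULL) and dies exactly as the pre-patch code did; with it, the bad statement is reported and rejected while the surrounding names are still checked.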